Shoppers in New Jersey were promised increased privacy after Governor Chris Christie signed the Personal Information and Privacy Protection Act that limits the collection and use of personal information obtained from consumers.
Pursuant to the statute, a retail establishment may scan an individual’s “identification card” (defined as a driver’s license, probationary license, nondriver photo identification card or other state-issued identification card) only for eight enumerated purposes. Those reasons include establishing or maintaining a contractual relationship as well as recording, retaining or transmitting information as required by state or federal law.
Businesses may use the data to verify the authenticity of the identification card or to verify the identity of the person if the individual pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange. The card may also be used to verify the person’s age when a business provides age-restricted goods or services.
The prevention of fraud or other criminal activity can also form the basis for scanning an identification card. For example, scanning would be proper when an individual returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system. Scanning may also serve to limit fraud related to a credit transaction or the management of a credit account.
Finally, the statute permits the use of the individual’s data to transmit information to a consumer reporting agency, financial institution or debt collector to be used as permitted by the Fair Credit Reporting Act or other relevant federal laws. Such use is also permissible in order to record, retain or transmit information pursuant to the Health Insurance Portability and Accountability Act.
The new law—set to take effect Oct. 1—also states that even if a retailer reviews the card for one of the permitted purposes, it may scan only certain information: the person’s name, address and date of birth; the state issuing the identification card; and the card’s number. Other data found on the card (the individual’s photograph, for example, or any restrictions on a license) may not be scanned, and retailers may not retain information gathered for the verification of authenticity and age.
Information collected must be “securely stored,” and any breach must be reported in accordance with the state’s data breach notification law. The law also limits the sale or dissemination of the data to third parties “for any purpose, including marketing, advertising, or promotional activities,” with an exception for issuing a reward coupon to loyal customers.
Pursuant to the statute, both the state attorney general’s office and consumers have the right to recover for violations of the statute. The AG may seek a $2,500 civil penalty for a first violation and $5,000 for each subsequent violation, while consumers “can bring an action in Superior Court to recover damages.”
To read the Personal Information and Privacy Protection Act, click here.
Why it matters: Given the looming effective date of Oct. 1, retail establishments in New Jersey should familiarize themselves with the new law, particularly as it provides avenues of recovery for consumers as well as the state attorney general’s office for violations of the law.